Summary
Structure
The starting bytes ac ed 00 05 are a known signature for Java serialized objects (rO0 when Base64-encoded).
Practising with Ysoserial
Entry point
Servlet.java:38 Serial.fromBase64(data);
This line calls the Serial class, loaded from Serial.java, passing it the data taken from the POST "data" parameter.
Serial Class
Decoding Base64-encoded object
Reading Object
At this point the object is loaded by calling readObject() on the decoded stream.
Identifying vulnerable loaded classes
This webapp is compiled with commons-collections4:4.0 specified on its classpath (target/bin/webapp:80), and that library is also listed in ysoserial's vulnerable classes list.
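As an added example (not code from the original writeup), the following Python helper ties together the stream signature from the Structure section and the class check from this section: it recognises the ac ed 00 05 magic in raw or rO0 Base64 form, pulls class names out of TC_CLASSDESC records with a simple heuristic scan, and rejects anything outside an application allowlist, which is the kind of guard a readObject() call on request data needs. The sample stream, the com.example package and the allowlist are constructed assumptions.

```python
import base64
import binascii
import re

JAVA_STREAM_MAGIC = b"\xac\xed"   # followed by version 00 05 in every modern stream
TC_CLASSDESC = 0x72               # tag that precedes a class name in the stream


def class_names(raw: bytes) -> list:
    """Heuristic scan: TC_CLASSDESC (0x72), 2-byte big-endian length, then the UTF-8 class name."""
    names, i = [], 4
    while i < len(raw):
        if raw[i] == TC_CLASSDESC and i + 3 <= len(raw):
            n = int.from_bytes(raw[i + 1:i + 3], "big")
            name = raw[i + 3:i + 3 + n]
            if 0 < n == len(name) and re.fullmatch(rb"[A-Za-z_$\[][\w$.\[;]*", name):
                names.append(name.decode())
                i += 3 + n
                continue
        i += 1
    return names


def inspect_java_stream(data: bytes):
    """Return {'version', 'classes'} if data is a Java serialization stream (raw or Base64), else None."""
    if data.startswith(b"rO0"):  # Base64 of ac ed 00 05 always starts with rO0
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            return None
    if len(data) < 4 or not data.startswith(JAVA_STREAM_MAGIC):
        return None
    return {"version": int.from_bytes(data[2:4], "big"), "classes": class_names(data)}


def check_post_data(data: bytes, allowed_prefixes=("com.example.",)) -> str:
    """Allowlist check to apply before readObject(): any class outside the app's packages is rejected."""
    info = inspect_java_stream(data)
    if info is None:
        return "not-java-serialized"
    bad = [c for c in info["classes"] if not c.startswith(allowed_prefixes)]
    return "reject:" + ",".join(bad) if bad else "allow"


def build_sample(class_name: str) -> bytes:
    """Constructed minimal stream: header, TC_OBJECT, one class descriptor with no fields."""
    name = class_name.encode()
    return b"\xac\xed\x00\x05\x73\x72" + len(name).to_bytes(2, "big") + name + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"


SAMPLE_B64 = base64.b64encode(build_sample("com.example.User"))  # constructed; begins with b"rO0A"
```

The TC_CLASSDESC scan is a heuristic for logging and gatekeeping, not a full stream parser; in the application itself the same allowlist belongs in an ObjectInputFilter on the ObjectInputStream.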
Ysoserial payload generation